
HJT Log: StartPage-DU.dll.dr


5 replies to this topic

#1 Sledge321


Posted 05 April 2005 - 10:54 PM

Logfile of HijackThis v1.99.1
Scan saved at 11:55:55 PM, on 4/5/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\ANALOG DEVICES\SOUNDMAX\SMTRAY.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\UNLOAD\HPQCMON.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WINDOWS\SYSTEM\LXSUPMON.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSFTSN.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCDASH.EXE
C:\PROGRAM FILES\MCAFEE.COM\SHARED\MGHTML.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.find-more.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find-more.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\PROGRAM FILES\IPSWITCH\WS_FTP HOME\WSBHO2K0.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [eDonkey2000] "C:\PROGRAM FILES\EDONKEY2000\EDONKEY2000.EXE" -t
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Startup] WinlogonStartup
O4 - HKLM\..\Run: [sre] rundll32.exe sre.dll,Register
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - User Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab
O18 - Filter: text/html - {85C34302-A0ED-11D9-BA4D-0010236D222A} - (no file)
O18 - Filter: text/plain - {85C34302-A0ED-11D9-BA4D-0010236D222A} - (no file)



#2 miekiemoes

Malware Response Team

Posted 06 April 2005 - 07:52 AM

Hi there,

I think we are dealing with something new in here.
Let's find out.

* Download StartDreck
Unzip it to your desktop.
Double-click on startdreck.exe and click 'config'.
Click 'Unmark all'.
Only check the following:
Registry -> Run keys
System/Drivers -> Running processes
Press OK.
Make a log and paste the content of it in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Sledge321


Posted 07 April 2005 - 06:21 AM

StartDreck (build 2.1.7 public stable) - 2005-04-07 @ 07:25:26 (GMT -04:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2800.1106
Logged in as Sam Galbraith at SAM GALBRAITH

»Registry
»Run Keys
»Current User
»Run
*MsnMsgr="C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
»RunOnce
»Default User
»Run
*MsnMsgr="C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*VSOCheckTask="C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
*VirusScan Online="C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
*MCAgentExe=C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
*MCUpdateExe=C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
*Smapp=C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
*CamMonitor=C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
*Share-to-Web Namespace Daemon=C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
*eDonkey2000="C:\PROGRAM FILES\EDONKEY2000\EDONKEY2000.EXE" -t
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*LexmarkPrinTray=PrinTray.exe
*LXSUPMON=C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
*Lexmark X74-X75="C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
*Startup=WinlogonStartup
*sre=rundll32.exe sre.dll,Register
+OptionalComponents
+IMAIL
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
*Hidserv=Hidserv.exe run
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*McVsRte=C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
»RunServicesOnce
**fshb=rundll32 C:\WINDOWS\HTMLHEOP.HTM,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
+FF0F5629=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF02CD=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFF0AB5=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFFF1885=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFC5249=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFC0C45=C:\WINDOWS\RUNDLL32.EXE
+FFFC21F1=C:\WINDOWS\SYSTEM\LEXBCES.EXE
+FFFCA505=C:\WINDOWS\SYSTEM\RPCSS.EXE
+FFFA41D1=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFA5C35=C:\WINDOWS\EXPLORER.EXE
+FFFAC025=C:\WINDOWS\TASKMON.EXE
+FFFAD5FD=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFA9D39=C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
+FFFA9031=C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
+FFF9F511=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFF8BA75=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFF7D781=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF914C9=C:\WINDOWS\SYSTEM\PSTORES.EXE
+FFF852C5=C:\PROGRAM FILES\STARTDRECK\STARTDRECK.EXE
+FFFA8D05=C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-WATCH.EXE
»Application specific

#4 miekiemoes


Posted 07 April 2005 - 06:45 AM

Hello,

You also have to boot in DOS, to get rid of it, but that's for later.
Maybe it's better to print this out or save this in notepad.

* Download and install CCleaner
Do not use it yet.

* Download the latest version of CWShredder

* Open Notepad and copy and paste the following into it:

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\New Windows]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchAssistant Uninstall]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce] 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

Save this as fix.reg (choose 'All files' as the file type) and save it on your desktop.

* Reboot into Safe Mode:
To get into safe mode as the computer is booting you press and hold your "F8 key" on the top of your keyboard or press and hold the left or right Ctrl key as the computer is booting. In this menu choose option 3 by pressing the 3 key and press enter.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.find-more.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.find-more.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [sre] rundll32.exe sre.dll,Register
O18 - Filter: text/html - {85C34302-A0ED-11D9-BA4D-0010236D222A} - (no file)
O18 - Filter: text/plain - {85C34302-A0ED-11D9-BA4D-0010236D222A} - (no file)


* Start CWShredder and click FIX

* Start CCleaner and click Run Cleaner.

* Now we are going to boot in DOS:
* Click the Start button
* Select Shut Down
* Select Restart the computer in MS-DOS mode
* Click the Yes button

When in DOS...

Type:

del C:\WINDOWS\HTMLHEOP.HTM <enter>

Reboot your system and ignore the errors you will get.

Double-click fix.reg
*Answer Yes when prompted to add the contents to the registry.

I see you are still using a previous version of Ad-Aware. So please update your Ad-Aware 6 to Ad-Aware SE, otherwise you won't be able to download and install the reference files.
Perform a full scan with Ad-Aware afterwards and let it delete everything it's finding.

Reboot again.
Make a new HijackThis log and StartDreck log and post them in your next reply.

If you had any problems during this fix, please tell me afterwards.
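As an added example (not from this thread, nor from HijackThis, CWShredder or StartDreck), the Python script below applies the indicators miekiemoes singled out for fixing (search settings reset to about:blank, a search page served from a DLL in TEMP, a rundll32 autostart loading a pathless DLL, a bare autostart name, an O18 filter with "(no file)") to lines copied from the log posted in this thread. The heuristics and the KNOWN_RUNDLL allowlist are my own assumptions, not rules from any tool.

```python
import re
from typing import List, Optional, Tuple
# Lines copied from the HijackThis log posted earlier in this thread; the last two
# are legitimate entries from the same log, kept as negative controls.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.find-more.net/sp.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [sre] rundll32.exe sre.dll,Register
O4 - HKLM\..\Run: [Startup] WinlogonStartup
O18 - Filter: text/html - {85C34302-A0ED-11D9-BA4D-0010236D222A} - (no file)
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"""
ENTRY = re.compile(r"^(R\d|O\d+) - (.*)$")             # "R1 - <body>", "O4 - <body>"
O4_CMD = re.compile(r"\[[^\]]+\] (.*)$")                # "[name] <command line>"
RUNDLL = re.compile(r"rundll32(?:\.exe)?\s+(\S+\.dll),", re.I)
O18_FILTER = re.compile(r"Filter: (\S+) - \{[^}]+\} - (.*)$")
KNOWN_RUNDLL = {"powrprof.dll"}  # assumed allowlist: the normal Win9x power-profile loader

def check_entry(kind: str, body: str) -> Optional[str]:
    """Return why an entry is suspicious, or None if it passes these checks."""
    if kind.startswith("R"):                            # IE start/search page settings
        value = body.partition(" = ")[2].strip().lower()
        if value == "about:blank":
            return "search setting reset to about:blank (hallmark of this hijack)"
        if value.startswith("res://") and "\\temp\\" in value:
            return "search page served from a DLL dropped in TEMP"
        if value.startswith("http"):
            return "search setting points to an external site; review the host"
    elif kind == "O4":                                  # autostart entries
        m = O4_CMD.search(body)
        cmd = m.group(1) if m else ""
        d = RUNDLL.match(cmd)
        if d and "\\" not in d.group(1) and d.group(1).lower() not in KNOWN_RUNDLL:
            return "rundll32 registering a DLL given without a path"
        if cmd and "." not in cmd and "\\" not in cmd:
            return "autostart value is a bare name with no file or extension"
    elif kind == "O18":                                 # MIME filter handlers
        m = O18_FILTER.search(body)
        if m and m.group(2).strip() == "(no file)":
            return f"{m.group(1)} filter registered but its DLL is missing"
    return None

def triage(log: str) -> List[Tuple[str, str]]:
    """Pair every suspicious log line with the reason it was flagged (Python 3.8+)."""
    return [(line, reason) for line in map(str.strip, log.strip().splitlines())
            if (m := ENTRY.match(line)) and (reason := check_entry(m.group(1), m.group(2)))]
```

Running `triage(SAMPLE_LOG)` flags the first six lines and leaves the two controls alone; the allowlist exists because a pathless rundll32 entry such as powrprof.dll is normal on Win9x and would otherwise be a false positive.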

#5 miekiemoes


Posted 07 April 2005 - 07:33 AM

The next entry seems suspicious too:

O4 - HKLM\..\Run: [Startup] WinlogonStartup

So maybe Silent Runners will reveal some more info on it.

So I also need a Silent Runners log:

Download Silent Runners
Unzip it to a permanent folder.
Start SilentRunners.vbs
When your antivirus gives an alert, do not block this. Allow the script.
Copy and paste the content of the text file you get afterwards in your next reply.

#6 miekiemoes


Posted 01 May 2005 - 03:10 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
an email with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



